Knowdit: Agentic Smart Contract Vulnerability Detection with Auditing Knowledge Summarization

📅 2026-03-27
🤖 AI Summary
Existing smart contract vulnerability detection methods struggle to identify defects tightly coupled with project-specific business logic, particularly in DeFi applications. This work proposes a novel paradigm that integrates audit knowledge graphs with multi-agent collaborative reasoning: by constructing a knowledge graph from historical audit reports, it abstracts shared DeFi semantics and vulnerability patterns to guide multiple agents in iteratively performing specification generation, test case synthesis, fuzz execution, and reflective optimization. This approach represents the first integration of DeFi semantic abstraction with a multi-agent framework, enabling cross-project vulnerability transfer and precise detection. Empirical evaluation shows that the method identifies all 14 high-severity and 77% of medium-severity vulnerabilities across 12 Code4rena projects with only two false positives, and further uncovers 12 previously unknown high-severity and 10 medium-severity vulnerabilities in six real-world projects.
📝 Abstract
Smart contracts govern billions of dollars in decentralized finance (DeFi), yet automated vulnerability detection remains challenging because many vulnerabilities are tightly coupled with project-specific business logic. We observe that recurring vulnerabilities across diverse DeFi business models often share the same underlying economic mechanisms, which we term DeFi semantics, and that capturing these shared abstractions can enable more systematic auditing. Building on this insight, we propose Knowdit, a knowledge-driven, agentic framework for smart contract vulnerability detection. Knowdit first constructs an auditing knowledge graph from historical human audit reports, linking fine-grained DeFi semantics with recurring vulnerability patterns. Given a new project, a multi-agent framework leverages this knowledge through an iterative loop of specification generation, harness synthesis, fuzz execution, and finding reflection, driven by a shared working memory for continuous refinement. We evaluate Knowdit on 12 recent Code4rena projects with 75 ground-truth vulnerabilities. Knowdit detects all 14 high-severity and 77% of medium-severity vulnerabilities with only 2 false positives, significantly outperforming all baselines. Applied to six real-world projects, Knowdit further discovers 12 high- and 10 medium-severity previously unknown vulnerabilities, proving its outstanding performance.
Problem

Research questions and friction points this paper is trying to address.

smart contract vulnerability detection
DeFi semantics
business logic
automated auditing
vulnerability patterns
Innovation

Methods, ideas, or system contributions that make the work stand out.

DeFi semantics
auditing knowledge graph
agentic framework
smart contract vulnerability detection
multi-agent system
Ziqiao Kong
Nanyang Technological University
Wanxu Xia
National Superior College for Engineers, Beihang University
Chong Wang
Nanyang Technological University
Inverse problem, Image restoration
Yi Lu
Movebit
Pan Li
Bitslab
Shaohua Li
The Chinese University of Hong Kong
Software Engineering, Compiler, Security, Privacy
Zong Cao
Imperial Global Singapore
Yang Liu
Nanyang Technological University
Agent, Software Engineering, Cyber Security, Trustworthy AI, Software Security